Security Headlines

GHSA-9xg6-75mh-7x3f: Cross-site Scripting (XSS) in pimcore

### Impact

An attacker can use XSS to send a malicious script to any user.

### Patches

Update to version 10.5.21 or apply this patch manually: https://github.com/pimcore/pimcore/commit/6970649f5d3790a1db9ef4324bece0d4cb95366a.patch

### Workarounds

Apply the patch https://github.com/pimcore/pimcore/commit/6970649f5d3790a1db9ef4324bece0d4cb95366a.patch manually.

### References

https://huntr.dev/bounties/24d91b83-c3df-48f5-a713-9def733f2de7/

GHSA-h3qr-39j9-4r5v: Data written to GitHub Actions Cache may expose secrets

### Impact This vulnerability impacts GitHub workflows using the [Gradle Build Action](https://github.com/marketplace/actions/gradle-build-action) that have executed the Gradle Build Tool with the [configuration cache](https://docs.gradle.org/current/userguide/configuration_cache.html) enabled, potentially exposing secrets configured for the repository. Secrets configured for GitHub Actions are normally passed to the Gradle Build Tool via environment variables. Due to the way that the Gradle Build Tool records these environment variables, they may be persisted into an entry in the GitHub Actions cache. This data stored in the GitHub Actions cache can be read by a GitHub Actions workflow running in an untrusted context, such as that running for a Pull Request submitted by a developer via a repository fork. This vulnerability was discovered internally through code review, and we have not seen any evidence of it being exploited in the wild. However, in addition to upgrading the Gradle ...
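The mechanism described above (secret values arrive as environment variables, Gradle's configuration cache records them, and the recorded state is then saved to the Actions cache where a fork PR workflow can read it) suggests a pre-upload check. The following is an added example, not code from the advisory, the Gradle Build Action or Gradle itself: before a workflow step saves a configuration-cache directory to the Actions cache, scan every file in it for verbatim or base64-encoded copies of the job's secret values and fail the step on a hit. The directory layout, file names, environment-variable name and secret values below are constructed for the demo; in a real workflow you would pass the actual secret values (the environment variables mapped from `secrets.*`) and the real `.gradle/configuration-cache` directory. This is a detection safeguard only; the fix the advisory points to is upgrading the action.

```python
"""Scan a directory about to be written to the GitHub Actions cache for
leaked secret values (added example; not the Gradle Build Action's code)."""
import base64
import tempfile
from pathlib import Path

MIN_SECRET_LEN = 8  # ignore trivially short values that would match everywhere


def secret_patterns(value: str) -> dict:
    """Byte patterns a leaked secret may appear as: raw, and base64, which is
    a common encoding for serialized binary state."""
    raw = value.encode()
    return {"raw": raw, "base64": base64.b64encode(raw)}


def find_secret_leaks(root, secrets: dict) -> list:
    """Return [(relative_path, secret_name, encoding)] for every file under
    root that contains a secret value. Files are read as bytes so binary
    serialized state (not just text logs) is scanned."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        for name, value in secrets.items():
            if len(value) < MIN_SECRET_LEN:
                continue
            for encoding, pattern in secret_patterns(value).items():
                if pattern in data:
                    hits.append((path.relative_to(root).as_posix(), name, encoding))
    return hits


def build_sample_cache(root) -> None:
    """Constructed sample (hypothetical layout, not Gradle's real on-disk
    format): one cache entry recorded an environment variable verbatim, which
    is the failure mode the advisory describes; one entry is clean; and a log
    file holds a base64-encoded token."""
    root = Path(root)
    leaky = root / ".gradle" / "configuration-cache" / "abc123"
    leaky.mkdir(parents=True)
    (leaky / "work.bin").write_bytes(
        b"\x00\x01env:ORG_GRADLE_PROJECT_signingKey=hunter2-super-secret-value\x00"
    )
    clean = root / ".gradle" / "configuration-cache" / "def456"
    clean.mkdir(parents=True)
    (clean / "work.bin").write_bytes(b"\x00clean\x00")
    encoded = base64.b64encode(b"ghp_exampleTokenValue123").decode()
    (root / "build-log.txt").write_text("token=" + encoded)


def demo() -> list:
    """Build the constructed sample in a temp dir and scan it."""
    secrets = {
        "SIGNING_KEY": "hunter2-super-secret-value",
        "GH_TOKEN": "ghp_exampleTokenValue123",
        "SHORT": "abc",  # below MIN_SECRET_LEN, deliberately skipped
    }
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        return find_secret_leaks(tmp, secrets)


if __name__ == "__main__":
    leaks = demo()
    for rel_path, name, encoding in leaks:
        print(f"LEAK: {name} ({encoding}) found in {rel_path}")
    raise SystemExit(1 if leaks else 0)  # non-zero exit fails the workflow step
```

In a workflow you would run this between the Gradle invocation and the cache-save step, with the secret values taken from the job's environment; a non-zero exit blocks the upload.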

GHSA-8595-6653-96p2: phpMyFAQ vulnerable to Stored Cross-site Scripting

phpMyFAQ prior to 3.1.13 has a stored cross-site scripting vulnerability in the `name` field of the add-question module. This allows an attacker to steal user cookies.

GHSA-gh24-c683-79r2: Arbitrary code execution in jfinal CMS

A command execution vulnerability in the ActionEnter class in jfinal CMS version 5.1.0 allows attackers to execute arbitrary code via a crafted JSON file submitted to the ueditor route.

GHSA-ph6g-6v8w-8p6m: Missing rate limit for password resets

Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets.

GHSA-fgxj-g7x3-85cq: Stored cross site scripting in RSS displayer

Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.

GHSA-xfmj-r86m-j2hr: Stored cross site scripting on API integration

Concrete CMS (previously concrete5) before 9.2 is vulnerable to stored XSS on API Integrations via the name parameter.

GHSA-474f-mcjv-pgrm: Stored cross site scripting

Concrete CMS (previously concrete5) before 9.1 is vulnerable to Stored XSS in uploaded file and folder names.

GHSA-2ggc-552c-rmqr: Stored cross site scripting on tags

Concrete CMS (previously concrete5) before 9.2 is vulnerable to Stored XSS on Tags on uploaded files.

GHSA-f55r-8rcv-mqcf: Missing secure cookie parameters

Concrete CMS (previously concrete5) before 9.2 does not set the Secure and HttpOnly attributes on ccmPoll cookies.
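A small check for the cookie-attribute issue above, as an added example that is not Concrete CMS code: parse the `Set-Cookie` headers of a response and report every cookie that lacks `Secure` or `HttpOnly`. It goes one step beyond the advisory by also flagging a missing `SameSite=Lax`/`Strict`, since that is the third attribute such an audit normally covers. The header values are constructed, not captured from a real Concrete CMS install; only the cookie name `ccmPoll` comes from the advisory, and the other cookie names are hypothetical.

```python
"""Audit Set-Cookie headers for missing Secure/HttpOnly/SameSite (added example)."""


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, {attr_lower: value_or_True}).
    Flag attributes such as Secure and HttpOnly carry no '=', so they map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers) -> dict:
    """Return {cookie_name: [missing protections]} for each cookie lacking
    Secure, HttpOnly, or SameSite=Lax/Strict. Fully hardened cookies are omitted."""
    findings = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        missing = []
        if attrs.get("secure") is not True:
            missing.append("Secure")
        if attrs.get("httponly") is not True:
            missing.append("HttpOnly")
        samesite = attrs.get("samesite")
        if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
            missing.append("SameSite=Lax|Strict")
        if missing:
            findings[name] = missing
    return findings


# Constructed sample headers (not captured from a real Concrete CMS response).
SAMPLE_HEADERS = [
    "ccmPoll=1; Path=/",                                            # the advisory's failure mode
    "app_session=abcdef123456; Path=/; HttpOnly; SameSite=Lax",    # hypothetical: missing Secure
    "csrf_ok=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",       # hypothetical: hardened
]


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Against a live site, feed the function the list returned by `response.headers.get_all("Set-Cookie")` from `http.client`, or the equivalent from your HTTP client, after logging in so session cookies are included.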